Incident Response
A technician is seeing high volumes of 403 Forbidden errors in a log. What type of network appliance or server is producing these logs?
403 Forbidden is an HTTP status code, so most likely a web server. Another possibility is a web proxy or gateway.
NetFlow
A Cisco-developed means of reporting network flow information to a structured database. NetFlow allows better understanding of IP traffic flows as used by different network applications and hosts.
What type of data source(s) would you look for evidence of a suspicious MTA in?
A Message Transfer Agent (MTA) is an SMTP server. You might inspect an SMTP log or the Internet header metadata of an email message.
playbook
A checklist of actions to perform to detect and respond to a specific type of incident
Security orchestration, automation, and response (SOAR)
A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment.
SIEM dashboard
A console presenting selected information in an easily digestible format, such as a visualization.
Tabletop
A discussion of simulated emergency situations and security incidents.
call list
A document listing authorized contacts for notification and collaboration
Diamond Model of Intrusion Analysis
A framework for analyzing cybersecurity incidents.
black hole
A means of mitigating DoS or intrusion attacks by silently dropping (discarding) traffic.
A threat actor gained access to a remote network over a VPN. Later, you discover footage of the user of the hacked account being covertly filmed while typing their password. What type of endpoint security solution might have prevented this breach?
A mobile device management (MDM) suite can prevent use of the camera function of a smartphone.
kill chain
A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion.
Syslog
A protocol enabling different appliances and software applications to transmit logs or event records to a central server.
internet header
A record of the email servers involved in transferring an email message from a sender to a recipient.
Your consultancy includes a training segment. What type of incident response exercise will best represent a practical incident handling scenario?
A simulation exercise creates an actual intrusion scenario, with a red team performing the intrusion and a blue team attempting to identify, contain, and eradicate it.
runbook
An automated version of a playbook that leaves clearly defined interaction points for human analysis.
CIRT
Cyber Incident Response Team
Retention Policy
Dictates for how long information needs to be kept available on backup and archive systems. This may be subject to legislative requirements.
What configuration change could you make to prevent misuse of a developer account?
Disable the account.
True or false? SOAR is intended to provide wholly automated incident response solutions.
False—incident response is too complex to be wholly automated. SOAR assists the provision of runbooks, which orchestrates the sequence of response and automate parts of it, but still requires decision-making from a human responder.
True or false? It is important to publish all security alerts to all members of staff.
False—security alerts should be sent to those able to deal with them at a given level of security awareness and on a need-to-know basis.
True or false? The "first responder" is whoever first reports an incident to the CIRT.
False—the first responder would be the member of the CIRT to handle the report.
dump file
File containing data captured from system memory.
You are supporting a SIEM deployment at a customer's location. The customer wants to know whether flow records can be ingested. What type of data source is a flow record?
Flow records are generated by NetFlow or IP Flow Information Export (IPFIX) probes. A flow record is data that matches a flow record, which is a particular combination of keys (IP endpoints and protocol/port types).
correlation
Function of log analysis that links log and state data to identify a pattern that should be logged or alerted as an event.
metadata
Information stored or recorded as a property of an object, state of a system, or transaction.
Which attack framework provides descriptions of specific TTPs?
MITRE's ATT&CK framework.
attack framework
Models and tools used to analyze threat actor tactics, techniques, and procedures.
Which software tool is most appropriate for forwarding Windows event logs to a Syslog-compatible server?
NXlog is designed as a multi-platform logging system.
What low-level networking feature will facilitate a segmentation-based approach to containing intrusion events?
Network segmentation is primarily achieved by virtual LANs (VLANs). A VLAN can be isolated from the rest of the network.
What are the six phases of the incident response life cycle?
Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.
NXlog
Software optimized for multi-platform log collection and aggregation.
Incident Response Plan
Specific procedures that must be performed if a certain type of event is detected or reported.
quarantine
The process of isolating a file, computer system, or computer network to prevent the spread of a virus or another cybersecurity incident.
You are providing security consultancy to assist a company with improving incident response procedures. The business manager wants to know why an out-of-band contact mechanism for responders is necessary. What do you say?
The response team needs a secure channel to communicate over without alerting the threat actor. There may also be availability issues with the main communication network, if it has been affected by the incident.
You are investigating a client workstation that has not obtained updates to its endpoint protection software for days. On the workstation you discover thousands of executable files with random names. The local endpoint log reveals that all of them have been scanned and identified as malware. You can find no evidence of any further intrusion on the network. What is the likely motive of the threat actor?
This could be an offline tainted data attack against the endpoint software's identification engine.
Following a loss of critical IP exfiltrated from the local network to a public cloud storage network, you decide to implement a type of outbound filtering system. Which technology is most suitable for implementing the filter?
This task is suited to data loss prevention (DLP), which can block the transfer of tagged content over unauthorized channels.
adversarial AI
Using AI to identify vulnerabilities and attack vectors to circumvent security systems.
sFlow
Web standard for using sampling to record network traffic statistics.
You need to correlate intrusion detection data with web server log files. What component must you deploy to collect IDS alerts in a SIEM?
You need to deploy a sensor to send network packet captures or intrusion detection alerts to the SIEM.